From Dwayne Wright PMP, PMI-ACP, CSM
Certified FileMaker Developer
In most cases, FileMaker security needs are addressed after the database has been designed. I have even seen cases where security needs were thought about months after the database had gone LIVE. This is generally because planning security needs is hard ... real hard and it’s not fun ... not even a little bit fun.
Planning security is like asking yourself, what level of paranoia am I comfortable with ... but on the other hand ... just because you are paranoid ... doesn’t mean a lack of correct security settings cannot jump up and really ruin your day.
My advice is to start of by separating the FileMaker aspects from the business need aspects. Planning security settings without intimate knowledge of the business is NOT a good idea. If possible, try to group your users into 5 or 6 categories. These categories will be organized by the level of need in respect to ... what they can do ... and ... what they can see. What They Can Do & What They Can See is something that can be applied to layouts, fields, scripts and even relationships.
From the FileMaker perspective, apply the see/do determination to the setup of FileMaker accounts and privilege sets. From there you can layer additional design security features by inventive use of calculations and scripts.
Remember, your security scheme can have many layers ( like an onion ). It is always a good idea to document your solutions security settings. FileMaker doesn’t help much here, it doesn’t print out security settings. However, you can use other tools to help in documenting your database files security settings. With the use of some of the status / design functions, DDR from FileMaker Developers Edition or other third party database documentation products.
Decide if you are going to create individual accounts for each user, shared accounts for many users or a mixed set of individual & shared accounts.
Decide if you need guest access to the file. In most cases, this should be a "No". Guest access does introduce a level of security risk. No two ways about it, if anyone can get in, then it’s possible the wrong someone will get in. There are even products out there ( typically for programs other than FileMaker ) that make cracking / hacking easy.
Determine, create and document the privilege sets that you are going to be using in the file. This includes the need of turning on or off extended privilege sets ( like for web browser access ) . As with guest access, this will normally be no. If you need this access, then you may need to address other possible security needs unique to that extended privilege set capabilities.
From time to time, review your security plan. You should think about reviewing your security plan is there is a significant change in your business world. It is always possible that whole departments can be created or eliminated during business reorganization. Obviously this kind of organization change in the real world calls for a review of you security documentation. You may also schedule a regular date for security review. This could even be part of a larger, overall review of your FileMaker solution.
More info about the author and FileMaker in general, contact me at firstname.lastname@example.org.
© 2007 - Dwayne Wright - dwaynewright.com
The material on this document is offered AS IS. There is NO REPRESENTATION OR WARRANTY, expressed or implied, nor does any other contributor to this document. WARRANTIES OF MERCHANT ABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. Consequential and incidental damages are expressly excluded. FileMaker Pro is the registered trademark of FileMaker Inc.